(54) Floating intrusion detection platforms

(57) The present invention is a "floating" intrusion detection system that can use any computer on the network as an intrusion detection platform. A software agent program called a "socket" is installed on each computer that is to be available to be an intrusion detection platform. A central server contains intrusion detection software as well as a database containing knowledge based rules and profiles for detecting intrusions. The central server can contact any computer that has a socket installed and direct that computer to become an intrusion detection platform. The selected computer then downloads, installs, and runs the intrusion detection software, thus becoming an intrusion detection platform. Once the need has passed, the central server can direct some of the platforms to stop running the software and return to their normal state.
Description

FIELD OF THE INVENTION 

[0001] The present invention is directed to a method and system for providing dynamically distributed network security and intrusion detection.

BACKGROUND OF THE INVENTION 

[0002] The importance of computer networks to companies' business interests and the interconnected nature of computer networks in the Internet era has resulted in increased concern about unauthorized network intrusions. When successful, these intrusions can cause damaging losses to the owner of the penetrated network in the form of vandalism, corporate espionage, theft of computer resources (when an intruder uses the penetrated network's computer resources for their own purposes, including attacking other networks), and negative publicity. Even just the potential of intrusion results in significant expenditures on computer resources to defend the network against intrusions, including firewalls, proxy servers, and other intrusion detection and prevention systems.

[0003] Intrusion detection platforms are known. They are specialized hardware or software systems that use knowledge based rules and artificial intelligence concepts to detect attacks on computer networks so that defensive action can be taken. Examples of software used to implement intrusion detection platforms include Computer Associates' SessionWall, Check Point Software's RealSecure, and NetworkICE's BlackICE.

[0004] One type of intrusion detection system uses intrusion detection platforms placed at the entry points to networks where they inspect incoming network packets for signs that the packets are being employed in an attack on the network. If an attack is detected, the intrusion detection platform may take several actions, including alerting the system users and refusing to allow the packets to enter the network. A primary drawback of these systems is that they require valuable computer hardware to be diverted from other uses and dedicated to simply monitoring and preventing intruders. Furthermore, in order to protect against insiders, such as disgruntled employees, these intrusion detection platforms generally must be distributed throughout the network in order to provide protection for the entire network, and in the event of a large scale attack or an attack localized to a particular area of the network, it is difficult to add new platforms or relocate existing platforms on short notice.

[0005] Another type of intrusion detection system resides on every computer in a network, and every computer monitors its own network security and reports back to a centralized server. These systems also have drawbacks because a portion of the processing power on every computer is dedicated to intrusion detection, resulting in a loss of performance to every user.

SUMMARY OF THE INVENTION 

[0006] The present invention is a "floating" intrusion detection system that can dynamically change which computers on the network are acting as intrusion detection platforms. A software agent program called a "socket" is installed on each computer that is to be available to be an intrusion detection platform. A central server contains intrusion detection software as well as a database containing knowledge based rules and profiles for detecting intrusions. The central server can contact any computer that has a socket installed and direct that computer to become an intrusion detection platform. The selected computer then downloads, installs, and runs the intrusion detection software, thus becoming an intrusion detection platform. The present invention allows the system to respond to network attacks, or simply to increases in network traffic, by increasing the number of intrusion detection platforms whenever necessary. Once the need has passed, the central server can direct some of the platforms to stop running the software and return to their normal state. If a particular segment of the network is being attacked, more intrusion detection platforms could be added in that area without affecting other areas of the network. The present invention also allows a company to make more efficient use of its computer hardware. A computer that is used as a print server or scanner station during the work day could become an intrusion detection system at night without any human direction.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0007]

Fig. 1 illustrates an example of a network in which the present invention might be implemented.

Fig. 2 is a flow chart illustrating one possible implementation of the method of the present invention.

Fig. 3 is a flow chart illustrating another possible implementation of the method of the present invention including a stop condition.

Fig. 4 is a flow chart illustrating one possible implementation of the method of the present invention.

Fig. 5 is a flow chart illustrating another possible implementation of the method of the present invention including a stop condition.


DETAILED DESCRIPTION 

[0008] Fig. 1 is a diagram of an exemplary network suitable for use with the present invention. Network 103 may be any conventional network for data transmission including, for example, Ethernet, token ring, or RF hardware using TCP/IP, IPv6, or another appropriate network protocol. Network 103 may also include connections to other networks, including the Internet, via, for example, a direct connection (Hub 119) or a dial up connection (Modem 118), and typically employs a firewall 120 as a first line of defense against network intrusions. Connected to network 103 are servers 101 and 104, which may be conventional file servers capable of executing intrusion detection server software and may include databases 102 and 105. Connected to network 103 may also be a variety of typical computers (108-111, 114, and 115) and workstations (113, 116, and 117), some of which may also be connected to printers (112), scanners (118), or other peripheral equipment. These computers and workstations may also be separated into network segments 106 and 107. These network segments may be physically separated, logically separated, or both.

[0009] The deployment of the floating intrusion detection system of the present invention may be controlled or coordinated via a floating intrusion detection server (e.g., server 101). This server is equipped with a database that stores information about the network for which the server is detecting intrusions, as well as a knowledgebase containing rules that define the server's operation, including rules for identifying and responding to network intrusions, performing system maintenance, and scheduling predetermined system tasks. The information about the network that is stored in the database can include a network map and/or a list of the computers within the network and their network addresses. Using this information, the server can determine which computers in the network have been designated to be available for use as floating intrusion detection platforms. On each computer that has been so designated, there is a software agent program or "socket" running. The socket is a program that generally runs as a background process and listens for network messages from the floating intrusion detection server. The floating intrusion detection server can send messages to the socket at a computer instructing the socket to perform certain tasks, including installing intrusion detection software, executing the intrusion detection software, and ceasing the execution of the intrusion detection software. The socket can also send messages back to the server containing information about the status of the computer.

[0010] As illustrated in Fig. 2, according to one embodiment of the present invention, when server 101 detects or is notified of a triggering event (Step 200), such as a possible network intrusion, the server selects an appropriate computer to become an intrusion detection platform (Step 210). The server then sends a request to the socket on that computer to become an intrusion detection platform (Step 220). The socket then installs (Step 230) and executes (Step 240) the intrusion detection software.

[0011] For example, server 101 may receive a message from firewall 120 indicating that an unusual number of incoming network packets directed at network segment 107 have been detected. In response to this message, server 101, using the information about the network stored in database 102, selects computer 114, which is on segment 107, to become an intrusion detection platform. Server 101 then sends a message to the socket on computer 114, requesting that computer 114 become an intrusion detection platform. The socket on computer 114 receives the request, installs the intrusion detection software, and executes it. Thus an intrusion detection platform has been created that is at or near the target of the network attack.

[0012] Fig. 4 illustrates the actions taken by the socket on a remote computer according to one possible embodiment of the present invention. The socket receives a request from the intrusion detection server to become an intrusion detection platform (Step 400). The socket installs the intrusion detection software on the computer on which the agent is running (Step 410). The socket then executes the intrusion detection software and the computer begins functioning as an intrusion detection platform (Step 420).

[0013] The installation of the software on the computer may be accomplished in any number of ways. For example, the socket may download the software from a file server, the software may already be on the computer in a compressed archive, or the software may be attached to the request that came from the intrusion detection server. Additionally, the software installation may be accomplished in a multi-step process where components of the software are downloaded and installed from different locations. For example, the core software may be installed from a local archive and the latest update may be downloaded from a remote file server. Alternatively, the software may already be installed on the computer, and the socket only needs to check for software updates before executing the software.

[0014] The triggering event that causes the server to initiate new intrusion detection platforms may be defined by the administrator of the system, including, for example, increases or decreases in network traffic, unusual network traffic patterns, detection of network attacks by existing intrusion detection platforms, or any other suspicious network activity. Additionally, the triggering event could simply be based on time of day, day of the week, etc. For example, since many network attacks occur after normal working hours, the system of the present invention could be configured to increase the number of intrusion detection platforms during these hours.

[0015] The intrusion detection server need not create more intrusion detection servers in response to every triggering event but may consider a number of factors before creating more platforms, including, for example, the number of intrusion detection platforms that already exist, the number of idle or underutilized eligible computers in the network, and predetermined minimum and maximum limits on the number of platforms.

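A server-side selection routine that applies the factors listed in [0015] together with the segment-based choice of [0011], as an added example rather than the patent's own code; the host records (named after Fig. 1's reference numerals), segment labels, idle figures and the min/max policy are constructed, and the idle fraction reported by the socket is an assumption about the status messages of [0009].

```python
from dataclasses import dataclass


@dataclass
class Host:
    """One computer from the server's database (assumed fields; Fig. 1 numerals reused as names)."""
    name: str
    segment: str
    has_socket: bool            # designated eligible, i.e. a socket is installed
    cpu_idle: float             # fraction idle as reported by the socket (assumption)
    running_ids: bool = False   # currently acting as an intrusion detection platform


@dataclass
class Policy:
    """Administrator limits from [0015] (values are constructed)."""
    min_platforms: int
    max_platforms: int
    idle_threshold: float = 0.5   # a host busier than this is not drafted


def select_platforms(hosts, segment, policy, wanted=1):
    """Choose up to `wanted` hosts to convert for a triggering event on `segment`.

    Applies the [0015] factors: platforms already running, idle eligible hosts,
    and the maximum limit. Hosts on the affected segment are preferred ([0011]),
    then the idlest host first.
    """
    running = sum(1 for h in hosts if h.running_ids)
    room = policy.max_platforms - running
    if room <= 0:
        return []
    candidates = [h for h in hosts
                  if h.has_socket and not h.running_ids
                  and h.cpu_idle >= policy.idle_threshold]
    # Sort key: False (on the attacked segment) sorts before True; idlest first.
    candidates.sort(key=lambda h: (h.segment != segment, -h.cpu_idle))
    return candidates[:min(wanted, room)]


def release_platforms(hosts, policy):
    """When the trigger clears ([0017]), return the platforms to release, keeping the minimum.

    The busiest platforms are released first so the idle ones keep monitoring.
    """
    running = [h for h in hosts if h.running_ids]
    excess = len(running) - policy.min_platforms
    if excess <= 0:
        return []
    running.sort(key=lambda h: h.cpu_idle)
    return running[:excess]
```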
[0016] As a complement to the triggering events that cause more intrusion detection platforms to be created, the present invention also allows for "stop conditions," which are events or conditions that result in a computer ceasing execution of the intrusion detection software. These stop conditions may include, for example, the ceasing of the triggering event or condition that caused the intrusion detection platform to be created, a time period that has elapsed since the computer became an intrusion detection platform, or a request from a human operator. These "stop conditions" may be monitored or detected at the intrusion detection server, which then sends a message to the intrusion detection platform instructing it to cease operating as an intrusion detection platform. Alternatively, the intrusion detection platform may monitor the stop condition itself and cease executing the intrusion detection software when the condition is fulfilled.

[0017] Triggering events and stop conditions may be specific to a particular computer or they may apply generally to all of the computers eligible to be intrusion detection platforms. For example, computer 111 may be designated to act as a print server for printer 112 during business hours and as an intrusion detection server after hours. Server 101 may have a triggering event and a stop condition specific to computer 111 in order to accomplish this schedule. Server 101 may also have a triggering event for a suspected network breach that directs server 101 to select any one (or more) of the eligible computers and request it to become an intrusion detection platform. Similarly, server 101 may maintain a stop condition that when a network attack ceases, server 101 selects a number of intrusion detection platforms and requests them to cease acting as intrusion detection platforms.

[0018] Fig. 3 illustrates one possible embodiment of the present invention for monitoring the stop condition at the intrusion detection server. Server 101 detects a triggering event (Step 300), selects an appropriate computer to become an intrusion detection platform, for example computer 110 (Step 310), and sends a request to the socket on computer 110 to become an intrusion detection platform (Step 320). Server 101 then monitors to detect if the stop condition has been fulfilled (Step 330). If the stop condition has not been fulfilled, then server 101 continues to monitor, but if the stop condition has been fulfilled, server 101 sends a request to computer 110 to stop acting as an intrusion detection platform (Step 340).

[0019] Fig. 5 illustrates one possible embodiment of the present invention for monitoring the stop condition at the intrusion detection platform. The socket receives a request from the intrusion detection server to become an intrusion detection platform (Step 500). The socket executes the intrusion detection software and the computer begins functioning as an intrusion detection platform (Step 510). The socket and/or the intrusion detection software then monitors to see if the stop condition has been fulfilled (Step 520). This monitoring may be as simple as checking the date and time or the amount of time the computer has been functioning as an intrusion detection platform, or may be more sophisticated monitoring of network traffic conditions. Once the stop condition has been fulfilled, the intrusion detection software ceases executing, and the socket returns to the background and awaits further messages from the server (Step 530).

[0020] Some embodiments of the present invention may require that a number of messages be exchanged between the intrusion detection server and the sockets or intrusion detection software on the remote computers. In order to protect the intrusion detection system from being compromised by network attackers, these messages may be protected cryptographically. For example, the messages may be encrypted to prevent attackers from reading them, digitally signed to authenticate the sender, sent with a checksum or message digest to detect tampering, or any combination thereof. The encryption and digital signatures could use any of a number of well known techniques including RSA and DES. A number of secure checksum techniques are also known in the art.
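An authenticated start/stop request carrying an expiration-time stop condition, covering the message protection of [0020] and the platform-side stop check of [0019] in one added example that is not the patent's own protocol; the patent names RSA and DES and fixes no message format, so this assumes a JSON body with an HMAC-SHA256 tag under a pre-shared key (standard library only), a nonce for replay rejection, and a freshness window, all constructed here.

```python
import hashlib
import hmac
import json

# Assumption: each socket shares a key with the server (constructed demo value).
SHARED_KEY = b"constructed-demo-key"
MAX_AGE = 300  # seconds a request stays acceptable after it was issued (assumption)


def build_request(key, target, action, issued, nonce, expires=None):
    """Server side: serialise the command and append an HMAC-SHA256 tag.

    `expires` carries the stop condition (claim 12: an expiration time) for
    "start" requests; `nonce` lets the socket reject a replayed copy.
    """
    body = {"target": target, "action": action, "issued": issued,
            "nonce": nonce, "expires": expires}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
    return raw + b"." + tag


class Socket:
    """Agent side: authenticate, de-duplicate and act on server requests."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.seen = set()           # nonces already honoured
        self.running_until = None   # expiration-time stop condition while running

    def handle(self, msg, now):
        raw, _, tag = msg.rpartition(b".")   # the hex tag contains no '.'
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"       # forged or tampered message
        body = json.loads(raw)
        if body["target"] != self.name:
            return "rejected: wrong target"
        if now - body["issued"] > MAX_AGE:
            return "rejected: stale"
        if body["nonce"] in self.seen:
            return "rejected: replay"
        self.seen.add(body["nonce"])
        if body["action"] == "start":
            if body["expires"] is None or body["expires"] <= now:
                return "rejected: expired stop condition"
            self.running_until = body["expires"]
            return "started"
        if body["action"] == "stop":
            self.running_until = None
            return "stopped"
        return "rejected: unknown action"

    def tick(self, now):
        """Platform-side stop-condition check (Fig. 5, Step 520)."""
        if self.running_until is not None and now >= self.running_until:
            self.running_until = None
            return "stopped: expiration reached"
        return "running" if self.running_until is not None else "idle"
```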

[0021] To further protect the intrusion detection system from tampering or simple equipment failure, a secondary server may be employed in the system that maintains copies of the data on the primary server and immediately takes over if the primary server ceases operating correctly. This may be accomplished, for example, by server 101 sending updates to server 104 and database 105, or alternatively, server 104 could monitor server 101's network traffic in order to monitor server 101's activities.

[0022] The present invention is not limited to the specific embodiments described. It is expected that those skilled in the art will be able to devise other implementations that embody the principles of the present invention and remain within its scope.



Claims 

1. A method for implementing an intrusion detection system in a network, comprising:

receiving a request at a software agent program to initiate intrusion detection services on a remote computer;

installing intrusion detection software on said remote computer via said software agent program; and

executing said intrusion detection software on said remote computer via said software agent program.

2. The method of claim 1 further comprising:

receiving a request to terminate intrusion detection services at said software agent program.

3. The method of claim 2 further comprising:

monitoring for fulfillment of a stop condition.

4. The method of claim 3 wherein said stop condition is based on network traffic conditions.

5. The method of claim 3 wherein said stop condition is an expiration time.

6. The method of claim 1 further comprising the step of:

receiving notification of a network intrusion.

7. The method of claim 6 further comprising the step of:

selecting said remote computer from a plurality of eligible computers.

8. The method of claim 7 wherein said selecting step is accomplished based on a network map.

9. The method of claim 7 wherein said selecting step is accomplished based on a knowledge base.

10. The method of claim 1 wherein said request is verified using a cryptographic authentication scheme.

11. The method of claim 1 wherein said request includes a stop condition indicating when to stop executing the intrusion detection software.

12. The method of claim 11 wherein said stop condition is an expiration time.

13. The method of claim 11 wherein said stop condition is based on network traffic conditions.



14. The method of claim 7 wherein said request is verified using a cryptographic authentication scheme.

15. A method for implementing an intrusion detection system on a computer connected to a network, comprising:

receiving a request to become an intrusion detection platform from a remote network location; and

executing said intrusion detection software.

16. The method of claim 15 further comprising:

installing intrusion detection software on said computer.

17. The method of claim 15 wherein said request includes a stop condition indicating when to stop executing the intrusion detection software.

18. The method of claim 17 wherein said stop condition is an expiration time.

19. The method of claim 17 wherein said stop condition is based on network traffic conditions.

20. The method of claim 17 further comprising the step of:

when said stop condition is fulfilled, ceasing execution of said intrusion detection software.

21. The method of claim 20 wherein said request is verified using a cryptographic authentication scheme.

22. The method of claim 20 further comprising the step of:

when said intrusion detection software has ceased executing, un-installing said intrusion detection software.

23. A system for detecting intrusions in a computer network comprising:

a plurality of computers executing software agents;

an intrusion detection server; and

a database,

wherein said intrusion detection server sends a request to execute intrusion detection software to a software agent at at least one of said plurality of computers when intrusion detection services are needed based on information contained in said database.

24. The system of claim 23 wherein said intrusion detection server increases the number of said plurality of computers executing intrusion detection software when a network intrusion is detected.

25. The system of claim 23 wherein said intrusion detection server changes the number of said plurality of computers executing intrusion detection software when the level of network traffic changes.

26. The system of claim 23 wherein said intrusion detection server changes the number of said plurality of computers executing intrusion detection software depending on the time of day.

27. The system of claim 23 wherein said database contains information about the plurality of computers.

28. The system of claim 27 wherein said information includes a map of said computer network.

29. The system of claim 23 wherein said database contains a knowledgebase.

EP 1 160 646 A2

30. An article of manufacture comprising a computer-readable medium having stored thereon instructions adapted to be executed by a processor, the instructions which, when executed, define a series of steps to be used to perform network intrusion detection, said steps comprising:

receiving a request at a software agent program to initiate intrusion detection services on a remote computer;

installing intrusion detection software on said remote computer via said software agent program; and

executing said intrusion detection software on said remote computer.



31. The article of manufacture of claim 30 further comprising the step of:

receiving notification of a network intrusion.

32. The article of manufacture of claim 31 further comprising the step of:

selecting said remote computer from a plurality of eligible computers.

33. The article of manufacture of claim 32 wherein said selecting step is accomplished based on a network map.

34. The article of manufacture of claim 32 wherein said selecting step is accomplished based on a knowledge base.

35. The article of manufacture of claim 30 wherein said request is verified using a cryptographic authentication scheme.

36. The article of manufacture of claim 30 wherein said request includes a stop condition indicating when to stop executing the intrusion detection software.

37. The article of manufacture of claim 36 wherein said stop condition is an expiration time.

38. The article of manufacture of claim 36 wherein said stop condition is based on network traffic conditions.